Bitcoin Forum
Author Topic: Security warning: trojan stealing coins, swapping C&P addresses  (Read 2954 times)
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
March 22, 2012, 06:28:02 PM
 #1

I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
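An added illustration, not part of this thread and not code from GLBSE or from any monitoring tool: a detection rule for the behaviour Nefario describes, run over a constructed clipboard event log. It flags an address-looking clipboard value that is overwritten by a different address-looking value, by a different process, within a short window of the user's own copy. The `process` field and the process names are assumptions about what an endpoint clipboard monitor would record; the replacement address is one of the two reported later in this thread, and the user's own deposit address is made up.

```python
"""Clipboard-swap detector over a constructed clipboard event log.

Added example (not code from the thread): the records below are made up to
resemble what an endpoint clipboard monitor could log. The `process` field is
a hypothetical monitor attribute, not a Windows API value.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Legacy (2012-era) base58 address shape: prefix 1 or 3, then 25-34 base58
# characters (base58 omits 0, O, I and l).
ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


@dataclass
class ClipboardEvent:
    t_ms: int       # time of the clipboard write, milliseconds
    process: str    # process that wrote the clipboard (hypothetical field)
    content: str    # new clipboard text


def looks_like_address(text: str) -> bool:
    return bool(ADDRESS_RE.match(text))


def find_clipboard_swaps(events: List[ClipboardEvent],
                         window_ms: int = 500) -> List[Tuple[str, str, str]]:
    """Return (original, replacement, writer) for each suspicious rewrite.

    A rewrite is suspicious when an address-looking clipboard value is
    overwritten by a *different* address-looking value, by a *different*
    process, within `window_ms` of the user's own copy. A user copying two
    addresses minutes apart is not flagged; a trojan rewriting the clipboard
    a few milliseconds after the user's copy is.
    """
    swaps = []
    prev = None
    for ev in sorted(events, key=lambda e: e.t_ms):
        if (prev is not None
                and looks_like_address(prev.content)
                and looks_like_address(ev.content)
                and ev.content != prev.content
                and ev.process != prev.process
                and ev.t_ms - prev.t_ms <= window_ms):
            swaps.append((prev.content, ev.content, ev.process))
        prev = ev
    return swaps


# Constructed sample: the user's deposit address and the second address are
# made up; the replacement is one of the two reported later in this thread;
# the process names are invented.
USER_ADDRESS = "1UserCopiedThisAddressExampLe9a8b7"
OTHER_ADDRESS = "1AnotherAddressTheUserCopiedX5z9qR"
REPORTED_SWAP = "17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd"

SAMPLE_EVENTS = [
    ClipboardEvent(1000, "firefox.exe", USER_ADDRESS),        # user copies from the site
    ClipboardEvent(1012, "miner_update.exe", REPORTED_SWAP),  # rewritten 12 ms later
    ClipboardEvent(8000, "firefox.exe", "hello world"),       # ordinary text, ignored
    ClipboardEvent(40000, "firefox.exe", USER_ADDRESS),       # user copies again
    ClipboardEvent(75000, "bitcoin-qt.exe", OTHER_ADDRESS),   # different address, 35 s later: not a swap
]

if __name__ == "__main__":
    for original, replacement, writer in find_clipboard_swaps(SAMPLE_EVENTS):
        print(f"ALERT: {writer} replaced {original} with {replacement}")
```

The window is the whole rule: the trojan has to rewrite the clipboard between the user's copy and their paste, so it acts within milliseconds, while a human copying two addresses takes seconds or longer. Tune `window_ms` upward only if your monitor's timestamps are coarse.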
Remember remember the 5th of November
Legendary
*
Offline Offline

Activity: 1526

Reverse engineer from time to time


View Profile
March 22, 2012, 06:35:43 PM
 #2

Quote from: Nefario
I'm after being in contact with one of GLBSE's users whose funds didn't seem to show up. After more investigation we discovered that he has a trojan/malware.

The malware recognises any bitcoin addresses that are copied and replaces them with a new address. When you copy an address from the service you're using (GLBSE.com, Intersango.com) to your bitcoin client to transfer your coins, the malware replaces it with the scam address, so that your coins are sent to the hacker.

When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Nefario

Figures, Linux is not nearly exploitable.

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
RodeoX
Legendary
*
Online Online

Activity: 2114


The revolution will be monetized!


View Profile
March 22, 2012, 06:38:55 PM
 #3

So am I correct in assuming that a countermeasure could be verifying the address before sending? Or does it make the change in a way that is not visible to the user?

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin=https://bitcointalk.org/index.php?topic=1610684
Kaos
Member
**
Offline Offline

Activity: 64



View Profile
March 22, 2012, 06:45:56 PM
 #4

What's the dodgy bitcoin address? Is it static or does it change every time?!
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
March 22, 2012, 06:48:59 PM
 #5

Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
March 22, 2012, 07:04:09 PM
 #6

I mean that sucks but on the other hand I got to say awesome to the malware writer.  Get the user to send coins to the wrong address.  No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc.  Just get the user to send you money.

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
March 22, 2012, 07:04:58 PM
 #7

Quote from: Nefario
When I have more details on the software involved/responsible I will update; in the meantime, make sure to double-check the address you copy/paste.

I believe that this is a Windows-only vulnerability.

Possibly related:
 - http://stackoverflow.com/questions/400212/how-to-copy-to-the-clipboard-in-javascript

MysteryMiner
Legendary
*
Offline Offline

Activity: 910



View Profile
March 22, 2012, 10:52:58 PM
 #8

A trojan that replaces the filled-in data for bank transfers was around at least 4 years ago. Adopting such a system for Bitcoin is a no-brainer.

I was looking for an exploit to copy an address to the clipboard using JavaScript, but it did not work with Firefox without user intervention. I abandoned the idea.

1LEaxxAh1LKFUvDKYVhiMEVAHRM7K5o7cF
foggyb
Legendary
*
Offline Offline

Activity: 1302


View Profile
March 22, 2012, 11:25:17 PM
 #9

Quote from: DeathAndTaxes
I mean that sucks but on the other hand I got to say awesome to the malware writer. Get the user to send coins to the wrong address. No need to keylog, hack the client, look for wallet.dat, spoof RPC, etc. Just get the user to send you money.

I've been WONDERING when the first hacker would do this. It's so obvious.
drakahn
Hero Member
*****
Offline Offline

Activity: 504



View Profile
March 22, 2012, 11:27:32 PM
 #10

Quote from: Nefario
Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Any info on what the optimised miner was? Or a link to the thread?

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
March 22, 2012, 11:47:11 PM
 #11

No I've not heard back.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
foggyb
Legendary
*
Offline Offline

Activity: 1302


View Profile
March 23, 2012, 12:09:35 AM
 #12

Quote from: Nefario
Quote
Anyway, what it did is: when I copied the BTC address from your site in a browser and pasted it into my account on btc-e in another browser tab to request a withdrawal, it would paste a different address. I didn't notice it till today. It was in a link on bitcointalk.org for an optimized miner, so I downloaded the miner and ran it. Nothing happened, so I just ignored it and didn't think anything of it until now.

From the user.

It's a new address each time.

I believe that visually verifying the address will protect against this.

The addresses so far:
17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd
14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ

Is it possible for malicious code to detect a <mousebutton-down> event on a send dialog box, then insert the hacker's address a millisecond later? In such a case, visual verification may not thwart the attack.

A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).
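An added example, not from this thread and not from any wallet: a send-to field guard that combines the countermeasures proposed so far in the thread (check the address, as in Nefario's and RodeoX's posts; lock the field once it is set, as in foggyb's post). Base58Check validation is included to show that a swapped address passes it, so the catch has to come from comparing the pasted value with what the user actually saw. The confirm step goes beyond the thread: instead of a plain dialog, the user types the first and last few characters of the address as displayed on the source page, which a clipboard rewrite cannot alter. `AddressGuard`, its verdict strings and the demo hash160 bytes are my own assumptions; the known-bad list is the two addresses reported in this thread.

```python
"""Wallet-side guard for a pasted send-to address (added example, not the
thread's or any wallet's code). Demo addresses are built from made-up
hash160 bytes, not real keys."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Swap destinations reported in this thread, used for the known-bad check.
REPORTED_SWAP_ADDRESSES = {
    "17PPGjFhmvt75yPAd5yFv9iYyBGQfHevnd",
    "14Yq1jKRqwbb9oExcyZFZ6a92QTk333WEZ",
}


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte -> '1'
    return "1" * leading + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)            # ValueError on a non-base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def address_from_hash160(h160: bytes, version: int = 0x00) -> str:
    """Base58Check-encode a 20-byte hash160 as a legacy P2PKH address."""
    payload = bytes([version]) + h160
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def is_valid_address(addr: str) -> bool:
    """Syntactic check only: a trojan's replacement address passes this too."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, check = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check


class AddressGuard:
    """Guards one send-to field: validate, confirm out-of-band, then lock."""

    def __init__(self, reported_bad=REPORTED_SWAP_ADDRESSES, min_chars=4):
        self.reported_bad = set(reported_bad)
        self.min_chars = min_chars
        self.pasted = None
        self.locked = False

    def on_paste(self, pasted: str) -> str:
        if self.locked:                        # lock: rewrite after confirmation refused
            return "OK" if pasted == self.pasted else "LOCKED"
        if pasted in self.reported_bad:
            return "KNOWN_BAD"
        if not is_valid_address(pasted):
            return "INVALID"                   # typo or corrupted paste
        self.pasted = pasted
        return "PENDING"                       # valid, not yet matched to what the user saw

    def confirm(self, typed_prefix: str, typed_suffix: str) -> str:
        """User types the first/last characters read from the source page."""
        if self.pasted is None:
            return "NOTHING_TO_CONFIRM"
        if len(typed_prefix) < self.min_chars or len(typed_suffix) < self.min_chars:
            return "TOO_SHORT"
        if self.pasted.startswith(typed_prefix) and self.pasted.endswith(typed_suffix):
            self.locked = True
            return "OK"
        return "SWAPPED"                       # valid address, but not the one the user saw


# Constructed demo addresses (hash160 bytes are made up).
GENUINE = address_from_hash160(bytes(range(20)))
SWAPPED = address_from_hash160(bytes(range(20, 40)))

if __name__ == "__main__":
    guard = AddressGuard()
    print(guard.on_paste(SWAPPED))                    # PENDING: the checksum is fine
    print(guard.confirm(GENUINE[:4], GENUINE[-4:]))   # SWAPPED: not what the page showed
```

The known-bad check runs before the checksum check on purpose: an address already reported as a swap destination should be refused whether or not it decodes cleanly. The typed-fragment confirmation is what makes the lock meaningful; without it, locking whatever was pasted would simply lock in the trojan's address.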
payb.tc
Hero Member
*****
Offline Offline

Activity: 812



View Profile
March 23, 2012, 12:25:48 AM
 #13

Quote from: foggyb
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

Or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO
marked
Full Member
***
Offline Offline

Activity: 168



View Profile
March 23, 2012, 12:27:46 AM
 #14


Quote from: drakahn
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is believed to currently be the miner; discussion now on btc-e chat.

marked
drakahn
Hero Member
*****
Offline Offline

Activity: 504



View Profile
March 23, 2012, 12:29:04 AM
 #15


Quote from: marked
Quote from: drakahn
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is believed to currently be the miner; discussion now on btc-e chat.

marked

I know... I'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
March 23, 2012, 12:37:27 AM
 #16


Quote from: marked
Quote from: drakahn
Any info on what the optimised miner was? Or a link to the thread?

neheminer 2.0 is believed to currently be the miner; discussion now on btc-e chat.

marked

That's funny, the affected user was sent to me from btc-e.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
marked
Full Member
***
Offline Offline

Activity: 168



View Profile
March 23, 2012, 01:01:27 AM
 #17

Quote from: drakahn
I know... I'm the one discussing, lol

http://xml.ssdsandbox.net/view/91c66258f4294c95a77a6aaa8ef3ec39

It reads your wallet.dat as well, so if you notice this, make sure to make a new wallet for your coins.

Oops, didn't see far enough back to see you were already there talking about it.

marked
finway
Hero Member
*****
Offline Offline

Activity: 714


View Profile
March 23, 2012, 03:48:33 AM
 #18

Check address.

CIYAM
Legendary
*
Online Online

Activity: 1820


Ian Knowles - CIYAM Lead Developer


View Profile WWW
March 23, 2012, 04:00:59 AM
 #19

Quote from: payb.tc
Quote from: foggyb
A 'lock address' function could help. The address locks the moment it is pasted into the field. No unlock (except cancel).

Or just a regular confirmation dialog... Are you sure you want to send 1 million bitcoins to 1ffjfitetwrexjf...? YES / NO


Unfortunately it's fairly easy to write software to send a Yes/No the instant the confirmation dialog appears (I built a tool for doing this in order to get around some shareware nags years ago).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
dayfall
Sr. Member
****
Offline Offline

Activity: 312



View Profile
March 23, 2012, 04:44:21 AM
 #20

Perhaps someone could code vhash into their webpage and into a client.